Securing Bitcoin
My [C]omputer is full of hackers
I don’t like being hit with [W]renches
My thieves are talented and technically [A]dvanced
Cryptocurrencies are new. The idea of having a little bit of data, a handful of words being worth serious money to anyone who has them is fairly new. Most people haven’t spent a few years thinking about it or helping people with it. I have. I’d like to lay out some thoughts.
The information needed to access a bitcoin wallet vary with the client software used. Here are some examples just to show the sorts of things people need to protect:
An electrum 12-word seed:
toilet response unique father mutual cram twelve bless pen drip train also
(Along similar lines, it could be a 12-word, 18-word or 24-word BIP39 string)
A plain old single address key:
5KCGBUYtXVqiCc8khN8KPRikwGN12vHBy4vFDt7paGhJkxKM7fL
A plain compressed single address key:
L3Ji1EbkRcHzrE5DsAFJ9z7JvWoh9UATQUJ1mrd6yrGuNzGFZg3h
A bitcoin wallet is a collection of one or more bitcoin private keys and associated bitcoin addresses. Generally all the funds available to all the addresses in a wallet are presented to a user as a single balance and the user is able to spend from them without managing which exact payment a transaction comes from.
Put another way, a wallet is like a physical wallet. It could be empty, it could have a bunch of bills in it. If someone has it, they can spend it.
I’ve arranged the threats roughly in the order I’ve seen them happen and think they are likely to happen to people. Take a special note of the order. Most of the bitcoin loss cases we hear about are people doing something to themselves, not thieves or hackers.
I used to know a thing and I don’t any more. It was probably a password. This covers simply forgetting or having a traumatic brain injury or being dead rendering recovering whatever was lost impossible. This is the most common problem people have with Bitcoin things.
I had a thing but don’t have it any more. The next most common problem is that people lose stuff. We aren’t really used to having data or a scrap of paper actually be worth something. People write their passwords or seeds or codes down and then promptly throw that paper into the sun for all the good it does anyone once it is lost. Or maybe the file with the thing is on a drive that was tossed in a landfill or that house got flooded and belongs to the troggs now.
I send the bitcoin to an address that happened to be in my copy/paste buffer rather than the correct one. I accidentally sent the amount I wanted to send as the fee rather than the amount. I am a complete drunken disaster.
Consider this, you are a hacker. You write programs that if they run on someone’s computer will do anything that makes you money. It could be get access to their World of Warcraft account to sell that sweet wow gold (aka, why Blizzard started pushing 2-factor auth). It could be spam all their email contacts. It could be encrypt their files and charge them to decrypt them. You could join their computer to a powerful botnet to do things. Any of these are pretty low return propositions, but now we have a new one, if they have a bitcoin wallet on the computer that is easy money fast. There are absolutely malware programs out there that look for and steal bitcoin from people. Especially if the software is designed for bitcoin users in some way, what better way to get a target rich environment? Or pose as software people want and trust but with a slightly different domain name. This is why you check GPG signatures.
You have read this document and others and come up with some scheme to secure your bitcoin against all comers via an elaborate series of hidden encrypted passphrases and stenography that even MI-6 won’t be able to crack. That was 18 months ago and now you have no idea. You know it involves putting the salt shaker on an RFID reader but after that you are lost. You’ve outsmarted yourself. Good job.
Your smartwatch is so fancy that thieves followed you home from the mall and staked out the place until you were gone. They have gone in and taken every scrap of paper, every computer, every hardware wallet and hauled it off to extract your sweet sweet bitcoin. Or maybe they were regular thieves who are now wise to this cryptocurrency thing and were watching some of these things.
You did everything right, you found good software and secured the recovery strings well. You have your keys but now the wallet software you were using doesn’t run. Maybe it runs on Windows and you can’t find a windows computer outside of a museum anymore. Maybe the software that can extract those recovery strings is long gone and github has long ago turned into a techno-themed porn site. Even if you got the software to run it depends on a server that no longer exists and doesn’t run and even if it could run it is now way to slow to manage the current block chain size.
I won’t get into this one too much with various solutions, but a smart thing to do would be:
With these two things, worse case you can find some clever sausage to help you recover things years later.
The thieves know that you are fancy and they read XKCD (https://xkcd.com/538/) and decide they are going to kidnap you or invade your house and beat you until you transfer your bitcoin to them.
The thieves aren’t going to do a quick smash and grab. They are going to come in quiet and solder extra connections on your hardware wallets. They are going to install cameras and keyloggers to capture your pins. Your cat is already working for them, but he was an easy turncoat.
I’m going to try to keep my proposed solutions simple and concrete, recommending specific software or components to be easy to follow. However, I’m not suggesting the things here are the only solutions.
A word of warning. Some of these things are complicated. All of them are easy to screw up with disastrous consequences. With bitcoin, no one can save you from your actions. Be sure of what you are doing. Ask questions and more importantly do tests. Test restoring from your seed. Test your backups. Test your understanding and make sure things make sense to you. You can also play with things on something called testnet. It is a bitcoin network used for testing but everything works just the real network. You can get testnet coins for free to test with and see how things work.
This would be suitable if Bitcoin isn’t a huge thing for you. You aren’t worried about advanced thieves. You want to keep your surface area for other attacks low, but you aren’t going to go nuts.
This protects you from losing a thing or forgetting a thing. With the encrypted wallet file you are also safe from most malware, the malware would have to capture your keystrokes or the keys from memory while electrum was running. You aren’t outsmarting yourself. Thieves can walk off with all your things without much worry (unless your computer is set with no password and your browser automatically logs in as you, then they might be able to get it from Keep.) If your stuff gets stolen, you’ll want to at least change your Google password and deauth any devices that were taken. Making a new wallet and moving your funds wouldn’t be a bad idea.
Protects against: FLSD
Partial protects against: CH
Vulnerable to: WAM
A Trezor is hardware wallet device with a little screen and two buttons. The idea is that it generates and keeps the keys without them ever going onto a computer. You can protect the Trezor itself with a PIN. When generating a key it instructs the user to write down the recovery seed on a bit of paper as well.
The problem there is that if you don’t set a PIN or have a bad one, the Trezor itself can be stolen. If you have a good PIN, then you have the standard problems of (F)orgot and (L)ost. Same goes for the bit of paper with the recovery seed.
Protects against: SDC
Partial protects against: FLHA
Vulnerable to: WM
Ok, it is time to get serious. First you setup a known clean system. You install linux on a laptop. You enable disk encryption because why not.
You use keepassx to make an encrypted password database that you keep somewhere impossible to lose, like Dropbox or Google Drive or equivalent. You crank up the rounds of key hashing to make that really really hard for someone to brute force. Like over 10,000,000 rounds. It takes half a minute to open the file even with the right password, but you don’t care. You pick a decent long password (like a phrase from http://correcthorsebatterystaple.net/ ). You memorize that.
Everything goes into that password database. It stores your electrum seeds.
You only open the password database or use that electrum seed on that clean linux system. You don’t do anything else with it.
Now your only real problem is the password for that encrypted password database. You protect that by using something like Shami's Secret Sharing Scheme to store the password. The idea is that let’s say you have 4 friend or relatives that you trust to not lose a piece of paper. Add yourself and you have 5 locations to store something. So you do ssss with lets say 3 of 5. That means, if you can get at least 3 of the pieces you can recover the password. Anyone with 2 or fewer can’t get any clue about your password, other than maybe the length. You can get a solid implementation of ssss here or the debian package named ‘ssss’. The advantage of this is that you are only using ssss for the password for the encrypted database, that way if you change your electrum seeds or add more seeds for different things or add other secrets to your database, you don’t have to bother all the folks holding puzzle pieces for you. You just backup the encrypted database however you are doing that. You don’t have to give all your people new bits of paper. A good trick is to also laminate the sheets you give people, laminators are cheap and people are less likely to discard a laminated piece of paper. It also protects against water damage.
Protects against: DFLH
Partial protects against: SC
Vulnerable to: WAM
You do everything in moderately fancy but you are worried that some of the software you are using in your secure computer might be compromised. Maybe someone sneaks some code into a Debian package or the Electrum software you downloaded was somehow compromised. You’d like to protect against that.
So instead of just doing a standard electrum seed, you do a 2 of 3 multisig. The signers are:
This way, if someone owns that computer they can’t sign transactions without involving the trezor, which has a physical button to confirm a request for signing. And if you lose the trezor or something goes strange with the software, you can still spend your bitcoin by breaking out seed 2 from your encrypted database.
Protects against: DFLHC
Partial protects against: SA
Vulnerable to: WM
In the end, for anything involving Bitcoin something (usually a computer) needs to have the private key in memory to do the elliptic curve signing operation. There is no way around this, the question what that thing is going to be and where do the keys get stored.
These are things I haven’t personally tried but seem to have some merit. There might be problems I’m not thinking of. The solutions might not work at all.
A third party signer scheme is one where you use multisig, usually in a 2of3 pattern. Similar to the super fancy solution above, you directly control two of the seeds. One regular seed and one recovery seed that you need to store safely. But in normal use, your regular seed and the key of the third party signer are used.
The signer can enforce rules on transactions before signing them, such as:
This could provide a lot of protection against things described above in addition to protection from mistakes. If you are forcing a 24 hour time delay for example, you have an opportunity to catch mistakes or for someone to get tired of hitting you with a wrench.
The third party only has 1 of the 3 keys, so they can’t spend your coin without you and you have 2 of 3 yourself so you can always spend your coin without them if they disappear or stop working. You still have the problems of securely storing that recovery seed.
I like the idea of this, but haven’t messed with it enough to fully recommend.